diff --git a/docs/firmware-design.md b/docs/firmware-design.md index 52667e2..417ef62 100644 --- a/docs/firmware-design.md +++ b/docs/firmware-design.md @@ -41,6 +41,9 @@ management framework and its design can be found in [ARM Trusted Firmware Interrupt Management Design guide][INTRG] [4]. +The ARM Trusted Firmware can be built to support either AArch64 or AArch32 +execution state. + 2. Cold boot ------------- @@ -55,15 +58,23 @@ Refer to the [Reset Design] for more information on the effect of the `COLD_BOOT_SINGLE_CPU` platform build option. -The cold boot path in this implementation of the ARM Trusted Firmware is divided -into five steps (in order of execution): +The cold boot path in this implementation of the ARM Trusted Firmware, +depends on the execution state. +For AArch64, it is divided into five steps (in order of execution): * Boot Loader stage 1 (BL1) _AP Trusted ROM_ * Boot Loader stage 2 (BL2) _Trusted Boot Firmware_ -* Boot Loader stage 3-1 (BL31) _EL3 Runtime Firmware_ +* Boot Loader stage 3-1 (BL31) _EL3 Runtime Software_ * Boot Loader stage 3-2 (BL32) _Secure-EL1 Payload_ (optional) * Boot Loader stage 3-3 (BL33) _Non-trusted Firmware_ +For AArch32, it is divided into four steps (in order of execution): + +* Boot Loader stage 1 (BL1) _AP Trusted ROM_ +* Boot Loader stage 2 (BL2) _Trusted Boot Firmware_ +* Boot Loader stage 3-2 (BL32) _EL3 Runtime Software_ +* Boot Loader stage 3-3 (BL33) _Non-trusted Firmware_ + ARM development platforms (Fixed Virtual Platforms (FVPs) and Juno) implement a combination of the following types of memory regions. Each bootloader stage uses one or more of these memory regions. @@ -80,8 +91,9 @@ The sections below provide the following details: * initialization and execution of the first three stages during cold boot -* specification of the BL31 entrypoint requirements for use by alternative - Trusted Boot Firmware in place of the provided BL1 and BL2 +* specification of the EL3 Runtime Software (BL31 for AArch64 and BL32 for + AArch32) entrypoint requirements for use by alternative Trusted Boot + Firmware in place of the provided BL1 and BL2 ### BL1 @@ -119,10 +131,11 @@ BL1 sets up simple exception vectors for both synchronous and asynchronous exceptions. The default behavior upon receiving an exception is to populate - a status code in the general purpose register `X0` and call the + a status code in the general purpose register `X0/R0` and call the `plat_report_exception()` function (see the [Porting Guide]). The status code is one of: + For AArch64: 0x0 : Synchronous exception from Current EL with SP_EL0 0x1 : IRQ exception from Current EL with SP_EL0 0x2 : FIQ exception from Current EL with SP_EL0 @@ -140,12 +153,24 @@ 0xe : FIQ exception from Lower EL using aarch32 0xf : System Error exception from Lower EL using aarch32 + For AArch32: + 0x10 : User mode + 0x11 : FIQ mode + 0x12 : IRQ mode + 0x13 : SVC mode + 0x16 : Monitor mode + 0x17 : Abort mode + 0x1a : Hypervisor mode + 0x1b : Undefined mode + 0x1f : System mode + The `plat_report_exception()` implementation on the ARM FVP port programs the Versatile Express System LED register in the following format to indicate the occurence of an unexpected exception: SYS_LED[0] - Security state (Secure=0/Non-Secure=1) SYS_LED[2:1] - Exception Level (EL3=0x3, EL2=0x2, EL1=0x1, EL0=0x0) + For AArch32 it is always 0x0 SYS_LED[7:3] - Exception Class (Sync/Async & origin). This is the value of the status code @@ -155,11 +180,12 @@ BL1 does not expect to receive any exceptions other than the SMC exception. For the latter, BL1 installs a simple stub. The stub expects to receive a limited set of SMC types (determined by their function IDs in the general - purpose register `X0`): + purpose register `X0/R0`): - `BL1_SMC_RUN_IMAGE`: This SMC is raised by BL2 to make BL1 pass control - to BL31 (loaded by BL2) at EL3. + to EL3 Runtime Software. - All SMCs listed in section "BL1 SMC Interface" in the [Firmware Update] - Design Guide. + Design Guide are supported for AArch64 only. These SMCs are currently + not supported when BL1 is built for AArch32. Any other SMC leads to an assertion failure. @@ -169,7 +195,7 @@ specific reset handler function (see the section: "CPU specific operations framework"). -* Control register setup +* Control register setup (for AArch64) - `SCTLR_EL3`. Instruction cache is enabled by setting the `SCTLR_EL3.I` bit. Alignment and stack alignment checking is enabled by setting the `SCTLR_EL3.A` and `SCTLR_EL3.SA` bits. Exception endianness is set to @@ -192,6 +218,29 @@ - `DAIF`. The SError interrupt is enabled by clearing the SError interrupt mask bit. +* Control register setup (for AArch32) + - `SCTLR`. Instruction cache is enabled by setting the `SCTLR.I` bit. + Alignment checking is enabled by setting the `SCTLR.A` bit. + Exception endianness is set to little-endian by clearing the + `SCTLR.EE` bit. + + - `SCR`. The `SCR.SIF` bit is set to disable instruction fetches from + Non-secure memory when in secure state. + + - `CPACR`. Allow execution of Advanced SIMD instructions at PL0 and PL1, + by clearing the `CPACR.ASEDIS` bit. Access to the trace functionality + is configured not to trap to undefined mode by clearing the + `CPACR.TRCDIS` bit. + + - `NSACR`. Enable non-secure access to Advanced SIMD functionality and + system register access to implemented trace registers. + + - `FPEXC`. Enable access to the Advanced SIMD and floating-point + functionality from all Exception levels. + + - `CPSR.A`. The Asynchronous data abort interrupt is enabled by clearing + the Asynchronous data abort interrupt mask bit. + #### Platform initialization On ARM platforms, BL1 performs the following platform initializations: @@ -233,14 +282,13 @@ "Failed to load BL2 firmware." - If the load is successful, BL1 updates the limits of the remaining free - trusted SRAM. It also populates information about the amount of trusted - SRAM used by the BL2 image. The exact load location of the image is - provided as a base address in the platform header. Further description of - the memory layout can be found later in this document. + BL1 calculates the amount of Trusted SRAM that can be used by the BL2 + image. The exact load location of the image is provided as a base address + in the platform header. Further description of the memory layout can be + found later in this document. -3. BL1 passes control to the BL2 image at Secure EL1, starting from its load - address. +3. BL1 passes control to the BL2 image at Secure EL1 (for AArch64) or at + Secure SVC mode (for AArch32), starting from its load address. 4. BL1 also passes information about the amount of trusted SRAM used and available for use. This information is populated at a platform-specific @@ -249,16 +297,21 @@ ### BL2 -BL1 loads and passes control to BL2 at Secure-EL1. BL2 is linked against and -loaded at a platform-specific base address (more information can be found later -in this document). The functionality implemented by BL2 is as follows. +BL1 loads and passes control to BL2 at Secure-EL1 (for AArch64) or at Secure +SVC mode (for AArch32) . BL2 is linked against and loaded at a platform-specific +base address (more information can be found later in this document). +The functionality implemented by BL2 is as follows. #### Architectural initialization -BL2 performs minimal architectural initialization required for subsequent -stages of the ARM Trusted Firmware and normal world software. EL1 and EL0 are -given access to Floating Point & Advanced SIMD registers by clearing the -`CPACR.FPEN` bits. +For AArch64, BL2 performs the minimal architectural initialization required +for subsequent stages of the ARM Trusted Firmware and normal world software. +EL1 and EL0 are given access to Floating Point and Advanced SIMD registers +by clearing the `CPACR.FPEN` bits. + +For AArch32, the minimal architectural initialization required for subsequent +stages of the ARM Trusted Firmware and normal world software is taken care of +in BL1 as both BL1 and BL2 execute at PL1. #### Platform initialization @@ -270,10 +323,20 @@ * Enable the MMU and map the memory it needs to access. * Perform platform security setup to allow access to controlled components. * Reserve some memory for passing information to the next bootloader image - (BL31) and populate it. + EL3 Runtime Software and populate it. * Define the extents of memory available for loading each subsequent bootloader image. +#### Image loading in BL2 + +Image loading scheme in BL2 depends on `LOAD_IMAGE_V2` build option. If the +flag is disabled, the BLxx images are loaded, by calling the respective +load_blxx() function from BL2 generic code. If the flag is enabled, the BL2 +generic code loads the images based on the list of loadable images provided +by the platform. BL2 passes the list of executable images provided by the +platform to the next handover BL image. By default, this flag is disabled for +AArch64 and the AArch32 build is supported only if this flag is enabled. + #### SCP_BL2 (System Control Processor Firmware) image load Some systems have a separate System Control Processor (SCP) for power, clock, @@ -285,15 +348,16 @@ memory. The SCP executes SCP_BL2 and signals to the Application Processor (AP) for BL2 execution to continue. -#### BL31 (EL3 Runtime Firmware) image load +#### EL3 Runtime Software image load -BL2 loads the BL31 image from platform storage into a platform-specific address -in trusted SRAM. If there is not enough memory to load the image or image is -missing it leads to an assertion failure. If the BL31 image loads successfully, -BL2 updates the amount of trusted SRAM used and available for use by BL31. -This information is populated at a platform-specific memory address. +BL2 loads the EL3 Runtime Software image from platform storage into a platform- +specific address in trusted SRAM. If there is not enough memory to load the +image or image is missing it leads to an assertion failure. If `LOAD_IMAGE_V2` +is disabled and if image loads successfully, BL2 updates the amount of trusted +SRAM used and available for use by EL3 Runtime Software. This information is +populated at a platform-specific memory address. -#### BL32 (Secure-EL1 Payload) image load +#### AArch64 BL32 (Secure-EL1 Payload) image load BL2 loads the optional BL32 image from platform storage into a platform- specific region of secure memory. The image executes in the secure world. BL2 @@ -309,14 +373,14 @@ BL2 loads the BL33 image (e.g. UEFI or other test or boot software) from platform storage into non-secure memory as defined by the platform. -BL2 relies on BL31 to pass control to BL33 once secure state initialization is -complete. Hence, BL2 populates a platform-specific area of memory with the -entrypoint and Saved Program Status Register (`SPSR`) of the normal world -software image. The entrypoint is the load address of the BL33 image. The -`SPSR` is determined as specified in Section 5.13 of the [PSCI PDD] [PSCI]. This -information is passed to BL31. +BL2 relies on EL3 Runtime Software to pass control to BL33 once secure state +initialization is complete. Hence, BL2 populates a platform-specific area of +memory with the entrypoint and Saved Program Status Register (`SPSR`) of the +normal world software image. The entrypoint is the load address of the BL33 +image. The `SPSR` is determined as specified in Section 5.13 of the [PSCI PDD] +[PSCI]. This information is passed to the EL3 Runtime Software. -#### BL31 (EL3 Runtime Firmware) execution +#### AArch64 BL31 (EL3 Runtime Software) execution BL2 execution continues as follows: @@ -331,7 +395,7 @@ 3. BL1 passes control to BL31 at the specified entrypoint at EL3. -### BL31 +### AArch64 BL31 The image for this stage is loaded by BL2 and BL1 passes control to BL31 at EL3. BL31 executes solely in trusted SRAM. BL31 is linked against and @@ -394,29 +458,30 @@ Details about the status of the PSCI implementation are provided in the "Power State Coordination Interface" section below. -#### BL32 (Secure-EL1 Payload) image initialization +#### AArch64 BL32 (Secure-EL1 Payload) image initialization If a BL32 image is present then there must be a matching Secure-EL1 Payload Dispatcher (SPD) service (see later for details). During initialization that service must register a function to carry out initialization of BL32 once the runtime services are fully initialized. BL31 invokes such a -registered function to initialize BL32 before running BL33. +registered function to initialize BL32 before running BL33. This initialization +is not necessary for AArch32 SPs. Details on BL32 initialization and the SPD's role are described in the "Secure-EL1 Payloads and Dispatchers" section below. #### BL33 (Non-trusted Firmware) execution -BL31 initializes the EL2 or EL1 processor context for normal-world cold -boot, ensuring that no secure state information finds its way into the -non-secure execution state. BL31 uses the entrypoint information provided -by BL2 to jump to the Non-trusted firmware image (BL33) at the highest -available Exception Level (EL2 if available, otherwise EL1). +EL3 Runtime Software initializes the EL2 or EL1 processor context for normal- +world cold boot, ensuring that no secure state information finds its way into +the non-secure execution state. EL3 Runtime Software uses the entrypoint +information provided by BL2 to jump to the Non-trusted firmware image (BL33) +at the highest available Exception Level (EL2 if available, otherwise EL1). -### Using alternative Trusted Boot Firmware in place of BL1 and BL2 +### Using alternative Trusted Boot Firmware in place of BL1 & BL2 (AArch64 only) Some platforms have existing implementations of Trusted Boot Firmware that -would like to use ARM Trusted Firmware BL31 for the EL3 Runtime Firmware. To +would like to use ARM Trusted Firmware BL31 for the EL3 Runtime Software. To enable this firmware architecture it is important to provide a fully documented and stable interface between the Trusted Boot Firmware and BL31. @@ -521,6 +586,85 @@ platform power management code is then invoked as required to initialize all necessary system, cluster and CPU resources. +### AArch32 EL3 Runtime Software entrypoint interface + +To enable this firmware architecture it is important to provide a fully +documented and stable interface between the Trusted Boot Firmware and the +AArch32 EL3 Runtime Software. + +Future changes to the entrypoint interface will be done in a backwards +compatible way, and this enables these firmware components to be independently +enhanced/updated to develop and exploit new functionality. + +#### Required CPU state when entering during cold boot + +This function must only be called by the primary CPU. + +On entry to this function the calling primary CPU must be executing in AArch32 +EL3, little-endian data access, and all interrupt sources masked: + + PSTATE.AIF = 0x7 + SCTLR.EE = 0 + +R0 and R1 are used to pass information from the Trusted Boot Firmware to the +platform code in AArch32 EL3 Runtime Software: + + R0 : Reserved for common Trusted Firmware information + R1 : Platform specific information + +##### Use of the R0 and R1 parameters + +The parameters are platform specific and the convention is that `R0` conveys +information regarding the BL3x images from the Trusted Boot firmware and `R1` +can be used for other platform specific purpose. This convention allows +platforms which use ARM Trusted Firmware's BL1 and BL2 images to transfer +additional platform specific information from Secure Boot without conflicting +with future evolution of the Trusted Firmware using `R0` to pass a `bl_params` +structure. + +The AArch32 EL3 Runtime Software is responsible for entry into BL33. This +information can be obtained in a platform defined manner, e.g. compiled into +the AArch32 EL3 Runtime Software, or provided in a platform defined memory +location by the Trusted Boot firmware, or passed from the Trusted Boot Firmware +via the Cold boot Initialization parameters. This data may need to be cleaned +out of the CPU caches if it is provided by an earlier boot stage and then +accessed by AArch32 EL3 Runtime Software before the caches are enabled. + +When using AArch32 EL3 Runtime Software, the ARM development platforms pass a +`bl_params` structure in `R0` from BL2 to be interpreted by AArch32 EL3 Runtime +Software platform code. + +##### MMU, Data caches & Coherency + +AArch32 EL3 Runtime Software must not depend on the enabled state of the MMU, +data caches or interconnect coherency in its entrypoint. They must be explicitly +enabled if required. + +##### Data structures used in cold boot interface + +The AArch32 EL3 Runtime Software cold boot interface uses `bl_params` instead +of `bl31_params`. The `bl_params` structure is based on the convention +described in AArch64 BL31 cold boot interface section. + +#### Required CPU state for warm boot initialization + +When requesting a CPU power-on, or suspending a running CPU, AArch32 EL3 +Runtime Software must ensure execution of a warm boot initialization entrypoint. +If ARM Trusted Firmware BL1 is used and the PROGRAMMABLE_RESET_ADDRESS build +flag is false, then AArch32 EL3 Runtime Software must ensure that BL1 branches +to the warm boot entrypoint by arranging for the BL1 platform function, +plat_get_my_entrypoint(), to return a non-zero value. + +In this case, the warm boot entrypoint must be in AArch32 EL3, little-endian +data access and all interrupt sources masked: + + PSTATE.AIF = 0x7 + SCTLR.EE = 0 + +The warm boot entrypoint may be implemented by using the ARM Trusted Firmware +`psci_warmboot_entrypoint()` function. In that case, the platform must fulfil +the pre-requisites mentioned in the [PSCI Library integration guide] +[PSCI Lib guide]. 3. EL3 runtime services framework ---------------------------------- @@ -536,7 +680,7 @@ different providers that can be easily integrated into final product firmware. The following sections describe the framework which facilitates the registration, initialization and use of runtime services in EL3 Runtime -Firmware (BL31). +Software (BL31). The design of the runtime services depends heavily on the concepts and definitions described in the [SMCCC], in particular SMC Function IDs, Owning @@ -562,7 +706,7 @@ [SMCCC] provides for such SMCs with the Trusted OS Call and Trusted Application Call OEN ranges. - The interface between the EL3 Runtime Firmware and the Secure-EL1 Payload is + The interface between the EL3 Runtime Software and the Secure-EL1 Payload is not defined by the [SMCCC] or any other standard. As a result, each Secure-EL1 Payload requires a specific Secure Monitor that runs as a runtime service - within ARM Trusted Firmware this service is referred to as the @@ -1192,13 +1336,13 @@ on FVP, BL31 and TSP need to know the limit address that their PROGBITS sections must not overstep. The platform code must provide those. -Trusted Firmware provides a mechanism to verify at boot time that the memory -to load a new image is free to prevent overwriting a previously loaded image. -For this mechanism to work, the platform must specify the memory available in -the system as regions, where each region consists of base address, total size -and the free area within it (as defined in the `meminfo_t` structure). Trusted -Firmware retrieves these memory regions by calling the corresponding platform -API: +When LOAD_IMAGE_V2 is disabled, Trusted Firmware provides a mechanism to +verify at boot time that the memory to load a new image is free to prevent +overwriting a previously loaded image. For this mechanism to work, the platform +must specify the memory available in the system as regions, where each region +consists of base address, total size and the free area within it (as defined +in the `meminfo_t` structure). Trusted Firmware retrieves these memory regions +by calling the corresponding platform API: * `meminfo_t *bl1_plat_sec_mem_layout(void)` * `meminfo_t *bl2_plat_sec_mem_layout(void)` @@ -1259,6 +1403,17 @@ +----------+ +When LOAD_IMAGE_V2 is enabled, Trusted Firmware does not provide any mechanism +to verify at boot time that the memory to load a new image is free to prevent +overwriting a previously loaded image. The platform must specify the memory +available in the system for all the relevant BL images to be loaded. + +For example, in the case of BL1 loading BL2, `bl1_plat_sec_mem_layout()` will +return the region defined by the platform where BL1 intends to load BL2. The +`load_image()` function performs bounds check for the image size based on the +base and maximum image size provided by the platforms. Platforms must take +this behaviour into account when defining the base/size for each of the images. + #### Memory layout on ARM development platforms The following list describes the memory layout on the ARM development platforms: @@ -1276,29 +1431,31 @@ Juno, BL1 resides in flash memory at address `0x0BEC0000`. BL1 read-write data are relocated to the top of Trusted SRAM at runtime. -* BL31 is loaded at the top of the Trusted SRAM, such that its NOBITS - sections will overwrite BL1 R/W data. This implies that BL1 global variables - remain valid only until execution reaches the BL31 entry point during - a cold boot. +* EL3 Runtime Software, BL31 for AArch64 and BL32 for AArch32 (e.g. SP_MIN), + is loaded at the top of the Trusted SRAM, such that its NOBITS sections will + overwrite BL1 R/W data. This implies that BL1 global variables remain valid + only until execution reaches the EL3 Runtime Software entry point during a + cold boot. -* BL2 is loaded below BL31. +* BL2 is loaded below EL3 Runtime Software. -* On Juno, SCP_BL2 is loaded temporarily into the BL31 memory region and - transfered to the SCP before being overwritten by BL31. +* On Juno, SCP_BL2 is loaded temporarily into the EL3 Runtime Software memory + region and transfered to the SCP before being overwritten by EL3 Runtime + Software. -* BL32 can be loaded in one of the following locations: +* BL32 (for AArch64) can be loaded in one of the following locations: * Trusted SRAM * Trusted DRAM (FVP only) * Secure region of DRAM (top 16MB of DRAM configured by the TrustZone controller) - When BL32 is loaded into Trusted SRAM, its NOBITS sections are allowed to - overlay BL2. This memory layout is designed to give the BL32 image as much - memory as possible when it is loaded into Trusted SRAM. + When BL32 (for AArch64) is loaded into Trusted SRAM, its NOBITS sections + are allowed to overlay BL2. This memory layout is designed to give the + BL32 image as much memory as possible when it is loaded into Trusted SRAM. -The memory regions for the overlap detection mechanism at boot time are -defined as follows (shown per API): +When LOAD_IMAGE_V2 is disabled the memory regions for the overlap detection +mechanism at boot time are defined as follows (shown per API): * `meminfo_t *bl1_plat_sec_mem_layout(void)` @@ -1343,6 +1500,7 @@ layout of the other images in Trusted SRAM. **FVP with TSP in Trusted SRAM (default option):** +(These diagrams only cover the AArch64 case) Trusted SRAM 0x04040000 +----------+ loaded by BL2 ------------------